if no BPDU is received for 20 seconds (default Max-Age), the port moves to the listening state

Listening

lasts 15 seconds (default Forward-Time)

the switch listens for incoming BPDUs

the switch does not add any received mac-address to the mac-address table

Learning

lasts 15 seconds (default Forward-Time)

the switch starts to transmit BPDUs

the switch is still listening for BPDUs

the switch starts adding mac-addresses to the mac-address table

Forwarding

the port will send and receive frames

points to keep in mind from the states of common spanning-tree

it takes 30 seconds for a port to become operational (2x Forward-Time)

it takes up to 50 seconds for a backup port to become operational (20 + 15 + 15: Max-Age + 2x Forward-Time)

there are ways to avoid such a long period; I will mention them in the enhancements section.

rapid spanning-tree

discarding (instead of disabled)

discarding (instead of blocking)

discarding (instead of listening)

learning (same)

forwarding (same)

we haven't talked about rapid spanning-tree yet; the port states are the only big difference so far, so don't worry about it for now

Port Roles

port state forwarding will have 2 roles :

Root port

this is the best port to reach the Root Bridge

the state is forward and the role is Root

Designated port

all other ports except the root port and the blocked ports

all Root Bridge ports are designated

the state is forward and the role is Designated

port state blocked will have 2 roles :

Alternate

this is the backup route for the root port

the state is Blocked and the role is Alternate

Backup

this is the backup for links on the same segment (two ports of the same switch on one segment)

you will see this with a hub

the state is blocked and the role is Backup

Types of Spanning-Tree

1: spanning-tree (802.1D) (mono spanning-tree, MST; one instance for all vlans, not to be confused with MSTP below)

the original version of spanning-tree, 802.1D-1990

a revised version, 802.1D-1998, came later

2:Per vlan Spanning-tree (PVST)

for Cisco switches only. Cisco switches don't run plain 802.1D, which runs 1 instance for all vlans; instead they made PVST, which runs a separate instance for every vlan.

each vlan's traffic flow can differ from the other vlans, depending on where the root bridge for that vlan is.

Cisco used the 802.1D BPDU format

on trunks those BPDUs are encapsulated in the ISL header, which carries the vlan ID and a BPDU flag.

at the time only Cisco switches had trunks, and those were ISL trunks.

3: Per vlan Spanning-tree Plus (PVST+) (Shared Spanning-Tree Protocol) (SSTP)

runs by default on Cisco switches

the (+) is an enhancement that makes switches send BPDUs to a Cisco proprietary multicast address (0100.0CCC.CCCD) in addition to the IEEE multicast address (0180.C200.0000), for the case where a non-Cisco switch sits between Cisco switches.

a non-Cisco switch does not treat frames to the Cisco address as BPDUs, so it floods them like ordinary multicast, which carries the PVST+ BPDUs across non-Cisco switches.

the original PVST was not supported over 802.1Q trunks.


4: Rapid Spanning-tree (802.1w) (new name 802.1D-2004)

enhanced version of spanning tree to speed up convergence by introducing the concept of proposal and agreement.

in 2004 802.1D-1998 was withdrawn; 802.1w plus some additions was rolled into the base standard and is now called 802.1D-2004. !! strange !!

5: Rapid per Vlan Spanning-tree (Rapid PVST+)

for Cisco switches only

Cisco again made its switches run a separate instance of 802.1w for each vlan.

6: multiple spanning-tree (MSTP) (802.1s) (802.1Q-2005) (one instance per group of vlans)

well, the takeaway from this is: when you want the IEEE standard for rapid spanning-tree, look for 802.1D-2004 (it is an IEEE standard, not an RFC)

what is per Vlan spanning tree (PVST+)

This photo is why we use spanning-tree per vlan

important Notifications:

switch 1 is the root bridge for all vlans

all the traffic between accounting and human-resources will go through sw-1, because the link between sw-2 and sw-3 is blocked.

the Fix : give each vlan its own instance of spanning-tree

for such a simple topology, with one root bridge per vlan (3 root bridges), we can place the roots wherever we want.

important notifications :

we have 3 root Bridges

all port states have been removed because it's a topology diagram, not a flow diagram

to draw the flow diagram we have to make 3 drawings, 1 for each vlan; here is the traffic flow.


from the drawing you can see that each port has 3 states, one per vlan, which depend on the vlan the traffic belongs to: for vlan 2 the link between Sw-3 and Sw-1 is blocked, while for the other vlans a different link (one of Sw-2's links) is the blocked one.

when you choose the root bridge placement, consider the traffic flow.

PVST+ Topology Change Notifications

when a link fails, the switch can take up to 50 seconds to recover.

but stale mac-address table entries take 5 minutes (the default aging time) to expire.

so even after reachability to the root is restored, your switch still sends traffic in the wrong direction

for this purpose there is a special message called "Topology Change Notification" (TCN)

TCN triggers

a switch becomes the root switch

a port goes down (very bad if the port is connected to a PC)

a port goes from forwarding or learning –> blocking

a port goes from learning –> forwarding, on a switch that has at least one designated port

Port fast ports do not trigger a topology change

when one of these events occurs, the switch that detected it sends a TCN BPDU out of its root port to notify the root bridge

the TCN BPDU doesn't include the sender's bridge ID (it carries only the protocol ID, version and message type)

it travels hop by hop toward the root; each upstream switch acknowledges it (TCA flag in its next configuration BPDU) and forwards it until it reaches the root bridge

a switch keeps re-sending the TCN (every hello time) until it receives that ACK

when the root Bridge receive the TCN message it will do the following :

the root floods the change for 35 seconds (Max-Age + Forward-Time) by setting the TC flag in its BPDUs

during that time those BPDUs are called Topology-Change BPDUs (TC-BPDUs)

every switch that receives a TC-BPDU reduces its CAM-table aging time from 5 minutes to 15 seconds (Forward-Delay), so stale entries for the moved hosts expire quickly

each switch relays that BPDU to the switches below it after some modifications:

adding its root port's cost to the root path cost

setting the sender bridge ID to its own bridge ID

setting the sender port ID to the outgoing port

incrementing the message age

BPDUs are only sent and relayed out of Designated ports

switches don't send BPDUs out of Root ports or blocked ports (it's useless, since those would be inferior BPDUs)

a Designated port stores the BPDU it sends

Root and blocking ports store the best BPDU they received

a received BPDU expires after Max-Age – Message-Age seconds if it is not refreshed
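The BPDU handling described above (best-BPDU selection, the per-hop modifications when a designated port relays a BPDU, the Max-Age – Message-Age expiry, and the effect of the TC flag on CAM aging), as an added Python example. This is not code from the page or from any switch vendor; the three-switch chain and its bridge IDs are constructed for the demo, and the timers are the 802.1D defaults quoted in the notes.

```python
from dataclasses import dataclass, replace

# 802.1D default timers (seconds), as used in the notes above
HELLO_TIME = 2
MAX_AGE = 20
FORWARD_DELAY = 15
MAC_AGING_DEFAULT = 300   # 5 minutes


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge ID ordering: lower priority wins, then lower MAC address."""
    priority: int   # 0..61440 in steps of 4096 (extended system ID adds the vlan)
    mac: str        # "xxxx.xxxx.xxxx"; lexical compare is fine for same-format strings


@dataclass(frozen=True)
class ConfigBpdu:
    root_id: BridgeId
    root_path_cost: int
    sender_id: BridgeId
    sender_port_id: int
    message_age: int
    tc_flag: bool = False   # set by the root for Max-Age + Forward-Delay after a TCN


def tcn_bpdu_bytes() -> bytes:
    """A TCN BPDU is only protocol ID (0x0000), version (0x00) and type (0x80):
    it carries no bridge ID at all, which is why it is acknowledged hop by hop."""
    return bytes([0x00, 0x00, 0x00, 0x80])


def bpdu_key(b: ConfigBpdu):
    """Comparison order for picking the best BPDU: lower root ID, then lower root
    path cost, then lower sender bridge ID, then lower sender port ID."""
    return (b.root_id, b.root_path_cost, b.sender_id, b.sender_port_id)


def is_superior(a: ConfigBpdu, b: ConfigBpdu) -> bool:
    """True if BPDU a beats BPDU b (b would be the 'inferior' BPDU)."""
    return bpdu_key(a) < bpdu_key(b)


def best_bpdu(received: list) -> ConfigBpdu:
    """What a root or blocking port stores: the best BPDU seen on that segment."""
    return min(received, key=bpdu_key)


def relay_bpdu(stored: ConfigBpdu, my_id: BridgeId, out_port_id: int,
               root_port_cost: int) -> ConfigBpdu:
    """The BPDU a switch sends out a designated port, derived from the BPDU stored
    on its root port with the per-hop modifications from the notes: add the root
    port's cost, replace sender bridge/port ID, increment message age.  The TC
    flag is carried through unchanged so the whole tree shortens its aging time."""
    return replace(stored,
                   root_path_cost=stored.root_path_cost + root_port_cost,
                   sender_id=my_id,
                   sender_port_id=out_port_id,
                   message_age=stored.message_age + 1)


def remaining_lifetime(stored: ConfigBpdu) -> int:
    """Seconds a stored BPDU stays valid without a refresh: Max-Age - Message-Age."""
    return max(0, MAX_AGE - stored.message_age)


def mac_aging_time(bpdu: ConfigBpdu) -> int:
    """CAM aging a switch applies after receiving this BPDU: Forward-Delay while
    the TC flag is set, the 5-minute default otherwise."""
    return FORWARD_DELAY if bpdu.tc_flag else MAC_AGING_DEFAULT


def tc_flood_seconds() -> int:
    """How long the root keeps the TC flag set after it receives a TCN."""
    return MAX_AGE + FORWARD_DELAY


if __name__ == "__main__":
    # Constructed chain root -> sw2 -> sw3 with 802.1D port costs (100 Mb = 19, 1 Gb = 4).
    root = BridgeId(32768, "0000.0000.0001")
    sw2 = BridgeId(32768, "0000.0000.0002")
    sw3 = BridgeId(32768, "0000.0000.0003")
    from_root = ConfigBpdu(root, 0, root, 1, 0, tc_flag=True)
    from_sw2 = relay_bpdu(from_root, sw2, out_port_id=2, root_port_cost=19)
    from_sw3 = relay_bpdu(from_sw2, sw3, out_port_id=3, root_port_cost=4)
    print("sw3 relays cost", from_sw3.root_path_cost,
          "age", from_sw3.message_age,
          "valid for", remaining_lifetime(from_sw3), "s",
          "CAM aging", mac_aging_time(from_sw3), "s")
```

The comparison in bpdu_key is the tie-break order a switch uses both to elect the root and to decide which port on a shared segment becomes designated; the sender bridge ID only matters when two BPDUs advertise the same root at the same cost, which is exactly the case for two switches hanging off the same hub.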

Failure Handling

Direct Failure

In-Direct Failure

Spanning-tree enhancements

Port fast

BPDU guard

BPDU Filter

Root guard

Loop guard

Uplink fast (built into rapid spanning-tree)

Backbone fast (built into rapid spanning-tree)

UDLD

1: Port Fast

instead of going through listening and learning, the port will go to forwarding immediately.

doesn’t trigger topology change.

this point is the most important: if your access ports generated a TCN every time a host connected, every switch in the network would keep cutting its mac-address aging to 15 seconds and flooding unknown-unicast frames, which can congest the entire network.

use this feature on every access port you can.

it can cause a loop if someone connects a switch to an unprotected port.

activation methods

Sw-1(config-if)#spanning-tree portfast

Sw-1(config)#spanning-tree portfast default

activate portfast on all access ports

Sw-1(config-if)#switchport host

set mode to access

enable port-fast

disable channel-group

Sw-1(config)#spanning-tree portfast default(default will enable it on all access-ports)
%Warning: this command enables portfast by default on all interfaces. You
should now disable portfast explicitly on switched ports leading to hubs,
switches and bridges as they may create temporary bridging loops.

2: BPDU guard

used with portfast to protect the network if someone connects a switch instead of a host

if a BPDU is received on such a port, the port goes into err-disabled state

5: Loop guard

if a switch has a port in the blocking state and, for some reason, the BPDUs arriving on that blocked port stop, the port will move to forwarding; if the reason they stopped is a unidirectional link problem, a loop occurs.

loop guard keeps that port in the blocking state (loop-inconsistent) instead.

6: Uplink fast

works with direct physical link loss only

requires at least 1 blocked port (an alternate port to fail over to)

activated for all vlans; cannot be enabled per vlan

moves the blocked port immediately to root port and forwarding, saving the 30 seconds of listening and learning.

sends dummy multicast frames on behalf of the hosts it has learned, one per learned mac-address, at a default rate of 150 pps

if SW1 is connected to other switches that send frames to SW2, they will be sent toward E0/1, which is down.

so SW2 floods those dummy multicasts so that SW1 learns those addresses are now behind E0/2, not E0/1.

should be applied on access-layer switches only, because of the dummy mac-address implementation; that's why it:

adds 3000 to the port cost (so the port is not likely to be elected as Designated port)

sets the priority to 49152 (so the switch is unlikely to become the Root Bridge, since the root has no root ports)

when E0/1 comes back up, it takes 2x forward-delay (30 seconds) + 5 seconds (CDP / EtherChannel negotiation, etc.) before the port returns to forwarding.

7: BackBone fast

works with indirect failure

instead of waiting Max-Age – Message-Age to move a blocking port from blocking to listening, the switch skips that wait (~20 seconds) and moves the port directly to listening.

when a switch receives an inferior BPDU, instead of ignoring it, it checks whether the current root bridge is still reachable (using a Root Link Query, RLQ)

if the root bridge is still reachable, the blocking port moves to listening and the current root's BPDU is forwarded to the switch claiming to be root

must be activated on all switches, or RLQs will not be answered.

Manipulating Root Bridge (Per Vlan)

1: change priority

the switch with the lowest priority wins

with priority 0 the switch becomes the root; if another switch also has priority 0, the lowest mac-address wins the tie.

example :

sw-3(config)#spanning-tree vlan 1 priority 0

2: Root Primary command

Usage

to make a non-root switch the root bridge without adjusting the priority by hand.

behavior

when the current Root Bridge priority is more than 24576:

the switch sets its priority to 24576 and declares itself the root bridge.

when the current Root Bridge priority is less than or equal to 24576:

if the switch mac-address is lower than the root's

the switch sets its priority equal to the root's, since it wins the tie because its mac-address is lower

if the switch mac-address is higher than the root's

in that case the switch sets its priority one step (4096) lower than the root's to win.

limitation

if the root bridge has a priority of 0 and you try to apply this command, you get an error message.

this command sets a static priority once and doesn't react to later changes: if another switch's priority is changed afterwards and that switch becomes the root bridge, you have to re-enter this command manually.

if we go back to sw-3 and re-apply the command, the priority goes to the next lower step.

Example for priority 0 error message

sw-3(config)#spanning-tree vlan 1 root primary
% Failed to make the bridge root for vlan 1
% It may be possible to make the bridge root by setting the priority
% for some (or all) of these instances to zero.

3: Root secondary command ( be careful )

usage

this command adjusts the priority of a switch so that if the root bridge fails, that switch takes over.

behavior

this command is tricky, because it simply sets the priority to 28672 regardless of the current root.

if the current root bridge still has priority 32768 (the default), the switch with the secondary command becomes the root bridge, and with common spanning-tree that can cause a 30-second outage.

the command assumes the root has a priority lower than 28672 (e.g. set with root primary) and that the other switches are at 32768, so 28672 sits between them as the backup.
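The root election and the behaviour of the root primary / root secondary macros described in this section, as an added Python model. This is not Cisco's implementation: the 24576, 28672 and 4096-step values and the mac-address tie-break rule are taken from the notes above, the three switches and their mac-addresses are constructed for the demo, and the per-vlan tables generalise the one-vlan description (run the functions once per vlan, as PVST+ does).

```python
PRIORITY_STEP = 4096            # extended system ID: priority is a multiple of 4096
ROOT_PRIMARY_TARGET = 24576     # what `root primary` sets when the root is still higher
ROOT_SECONDARY_PRIORITY = 28672  # what `root secondary` always sets


def bridge_id(priority: int, mac: str):
    """Bridge ID ordering: lower priority wins, then lower mac-address."""
    return (priority, mac)


def elect_root(switches: dict) -> str:
    """switches maps name -> (priority, mac) for ONE vlan; returns the root's name."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def root_primary(switches: dict, me: str) -> int:
    """Priority `me` would configure with `spanning-tree vlan N root primary`,
    following the behaviour in the notes.  Raises ValueError (the IOS-style
    failure) when the current root is already at priority 0."""
    others = {n: v for n, v in switches.items() if n != me}
    root_prio, root_mac = others[elect_root(others)]
    my_mac = switches[me][1]
    if root_prio == 0:
        raise ValueError("% Failed to make the bridge root: current root already at priority 0")
    if root_prio > ROOT_PRIMARY_TARGET:
        return ROOT_PRIMARY_TARGET          # root is above 24576: 24576 is enough
    if my_mac < root_mac:
        return root_prio                    # same priority; lower mac wins the tie
    return root_prio - PRIORITY_STEP        # higher mac: go one 4096 step below the root


def apply_root_primary(switches: dict, me: str) -> dict:
    """Return a new vlan table with `me` reconfigured as `root primary` would do."""
    new = dict(switches)
    new[me] = (root_primary(switches, me), switches[me][1])
    return new


def root_secondary(switches: dict, me: str):
    """Priority set by `root secondary` and whether that unexpectedly makes `me`
    the root, which is the pitfall the notes warn about when the real root is
    still at the 32768 default."""
    trial = dict(switches)
    trial[me] = (ROOT_SECONDARY_PRIORITY, switches[me][1])
    return ROOT_SECONDARY_PRIORITY, elect_root(trial) == me


def place_roots(base: dict, wanted: dict) -> dict:
    """Per-vlan root placement: wanted maps vlan -> switch that should be root.
    Returns vlan -> table after `root primary` on that switch (what PVST+ gives
    you: one independent election per vlan)."""
    return {vlan: apply_root_primary(base, sw) for vlan, sw in wanted.items()}


if __name__ == "__main__":
    # Constructed topology: three switches, all at the default priority 32768.
    base = {"sw-1": (32768, "0000.0000.0001"),
            "sw-2": (32768, "0000.0000.0002"),
            "sw-3": (32768, "0000.0000.0003")}
    print("default root:", elect_root(base))          # sw-1, lowest mac
    tables = place_roots(base, {10: "sw-1", 20: "sw-2", 30: "sw-3"})
    for vlan, table in tables.items():
        print(f"vlan {vlan}: root {elect_root(table)} priorities {table}")
    # The secondary pitfall: nobody ran `root primary`, so the "backup" becomes root.
    print("root secondary on sw-3 with root at 32768:", root_secondary(base, "sw-3"))
```

Worth noting from the model: apply_root_primary on sw-2 after sw-3 already took the root at 24576 only needs the same 24576, because sw-2's lower mac-address wins the tie, while sw-3 trying to take it back from sw-2 has to drop to 20480, which is the "next lower step" behaviour described above.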